TRICK: Time and Range Integrity ChecK using Low Earth Orbiting Satellite for Securing GNSS

TL;DR

TRICK addresses GNSS spoofing by fusing authenticated GNSS broadcast data with two distance-bounding measurements via a trusted LEO satellite to form an ellipsoidal constraint that bounds a user’s position and the clock bias. Unlike classical VM, TRICK requires only two-way ranging with a single LEO reference (or two measurements with moving/dual-LEO) and leverages broadcast signals to achieve VM-like guarantees with reduced infrastructure and communication overhead. The approach introduces an offset term for asynchronous downlinks, provides two integrity checks (geometric containment and sum residuals), and demonstrates resilience against forward and backward delay attacks, showing practical viability for secure PNT and clock synchronization. With analyses and simulations, TRICK demonstrates detection of spoofing, improved availability over VM in global scenarios, and seamless potential integration with 5G-NTN and distributed anchors, underscoring its operational impact for scalable, secure positioning at global scale.

Abstract

Global Navigation Satellite Systems (GNSS) provide Positioning, Navigation, and Timing (PNT) information to over 4 billion devices worldwide. Despite its pervasive use in safety critical and high precision applications, GNSS remains vulnerable to spoofing attacks. Cryptographic enhancements, such as the use of TESLA protocol in Galileo, to provide navigation message authentication do not mitigate time of arrival manipulations. In this paper, we propose TRICK, a primitive for secure positioning that closes this gap by introducing a fundamentally new approach that only requires two way communications with a single reference node along with multiple broadcast signals. Unlike classical Verifiable Multilateration (VM), which requires establishing two way communication with each reference nodes, our solution relies on only two measurements with a trusted Low Earth Orbiting (LEO) satellite and combines broadcast navigation signals. We rigorously prove that combining the LEO satellite based two way range measurements and multiple one way ranges such as from broadcast signals of GNSS into ellipsoidal constraint restores the same guarantees as offered by VM whilst using minimal infrastructure and message exchanges. Through detailed analysis, we show that our approach reliably detects spoofing attempts while adding negligible computation overhead.

Figures (13)

• Figure 1: Major problems solved by our proposed mechanisms in TRICK.
• Figure 2: Protocol for performing VM. The described scenario assumes two way communication between UE and each of the LEO satellites.
• Figure 3: The proposed protocol according to the mechanisms of TRICK to build ellipse based primitive needed for secure positioning.
• Figure 4: A Scenario where the downlink transmission of LEO satellite is not synchronized with the GNSS satellites.
• Figure 5: Left: A single TWR and broadcast measurement forms ellipses that only increase. However, UE cannot detect spoofing due to lack of closed regions. Middle: Two time separated measurements with a moving LEO form secure triangles with GNSS, enabling spoofing detection. Right: Instant spoofing detection is possible via measurements with two LEO satellites.